Google Vault is a powerful eDiscovery and retention tool that allows administrators with the appropriate permissions to search and manage:
- Gmail messages
- Google Groups posts
- Most files in Google Drive and shared drives
- Conversations in Google Chat (with history turned on)
- Google Meet recordings
What You'll Learn
In this article, you will learn how to manage and secure access to Google Vault and how to set up a workflow that prevents abuse and ensures compliance with your institution's data policies.
Vault's capabilities extend far beyond the initial setup. Proper configuration is essential to maintain security, accountability, and compliance within your organization. This article will guide you through best practices for managing access to Vault and establishing a workflow that minimizes the risk of misuse.
Securing Access to Google Vault
Google Vault provides powerful tools for managing and retrieving data, but with great power comes great responsibility. It's crucial to ensure that only the necessary personnel have access to Vault and that admins grant that access deliberately.
Restrict Vault Access with Access Groups
- The first step in securing Vault is to control who can access it. Start by turning OFF Vault at the root of your Organizational Unit (OU) structure.
From the Admin Console: Navigate to Apps > Google Workspace > Google Vault. Click on the Service Status card. Select the Root OU and click OFF for Everyone and click Save.
Note: Disabling Vault at the root does not affect existing retention policies; it simply removes the ability for users to access Vault.
- Next, create a dedicated Google Group for users who need access to Vault. Add only the required users to this group, and tighten the access settings to ensure security.
From the Admin Console: Navigate to Directory > Groups. Here, the groups list is paginated, letting you view 20 groups per page. Click Create group above the list to create a group. Create the group using the stepper.
- Once established, turn ON Google Vault access only for this specific group. This ensures that only authorized users can interact with Vault.
From the Admin Console: Navigate to Apps > Google Workspace > Google Vault. Click on the Service Status card. Select Groups at the left, then search for and select the Vault access group you created. Click ON and click Save.
Establishing Accountability: The Vault Access Workflow
While limiting access is a good start, accountability remains a key concern. Without proper oversight, even authorized users could potentially misuse their access to Vault. Google Workspace now restricts Super Admins from accessing all of Vault's privileges unless explicitly enabled, but additional safeguards are recommended.
Create a Vault Access Workflow
A structured Vault Access Workflow divides responsibilities among different users, each with specific roles and permissions. This process reduces the risk of unauthorized actions and helps ensure that all Vault activities are legitimate.
Types of Personas in Vault Access:
- Requesters: Principals, HR managers, or other administrators who need specific information for legal, compliance, or internal investigations.
- Vault Admins: Individuals responsible for executing investigations and exporting data as requested.
- Vault Owners: Senior staff who approve investigations, manage retention policies, and audit Vault activities.
Assign the Right Roles
See Set up Vault privileges for more information.
Requesters should have a formal process to request information, such as through a Google Form or a support ticketing system.
Vault Admins should have permission to manage matters, holds, searches, and exports. For institutions with multiple campuses, access can be restricted by Organizational Unit (OU).
- From the Admin Console: To set role privileges, navigate to Account > Admin roles. Search for and select the role, then select the Privileges card. Scroll down to the Google Vault section.
- From the Admin Console: To assign users to a role, navigate to Account > Admin roles. Search for and select the role, then select the Admins assigned card. Scroll down to the Google Vault section.
Vault Owners should have permission to manage retention policies, view all matters, and conduct audits. Importantly, this role should only have direct access to manage matters, holds, searches, or exports if explicitly required.
- From the Admin Console: To set role privileges, navigate to Account > Admin roles. Search for and select the role, then select the Privileges card. Scroll down to the Google Vault section.
- From the Admin Console: To assign users to a role, navigate to Account > Admin roles. Search for and select the role, then select the Admins assigned card. Scroll down to the Google Vault section.
Example Workflow
- Requesters submit a request to Vault Owners.
- Vault Owners review and approve or deny the request.
- Vault Admins process approved requests in Google Vault.
- Vault Owners verify the retrieved data meets the requester's needs.
- Vault Admins export the necessary data.
- Vault Admins share the data with the requester.
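The separation of duties in this workflow can be checked offline against your own records. The following Python is an added example, not part of the original article or of any Google tool; the record fields, account names and ticket IDs are constructed, and in practice the inputs would come from your ticketing system, role assignments and Vault audit records.

```python
from typing import NamedTuple, Optional

class Request(NamedTuple):
    ticket: str
    requester: str
    approved_by: Optional[str]   # Vault Owner who approved (step 2), or None
    verified_by: Optional[str]   # Vault Owner who verified (step 4), or None

class Export(NamedTuple):
    ticket: Optional[str]        # request the export claims to serve
    exported_by: str

def audit_workflow(access_group, owners, admins, requests, exports):
    """Return sorted (subject, finding) pairs for workflow violations."""
    findings = set()
    for acct in owners & admins:
        findings.add((acct, "holds both Vault Owner and Vault Admin roles"))
    for acct in (owners | admins) - access_group:
        findings.add((acct, "has a Vault role but is not in the access group"))
    for acct in access_group - owners - admins:
        findings.add((acct, "in the access group without a Vault role"))
    by_ticket = {r.ticket: r for r in requests}
    for e in exports:
        subject = e.ticket or "(no ticket)"
        req = by_ticket.get(e.ticket)
        if e.exported_by not in admins:
            findings.add((subject, "export run by a non-Vault-Admin"))
        if req is None:
            findings.add((subject, "export has no matching request"))
            continue
        if req.approved_by not in owners:
            findings.add((subject, "export without Vault Owner approval"))
        if req.verified_by not in owners:
            findings.add((subject, "export without Vault Owner verification"))
        if e.exported_by in (req.requester, req.approved_by):
            findings.add((subject, "exporter also requested or approved"))
    return sorted(findings)

# Constructed sample data: hypothetical accounts and tickets, not real records.
ACCESS_GROUP = {"owner@example.edu", "admin1@example.edu", "it-intern@example.edu"}
OWNERS = {"owner@example.edu"}
ADMINS = {"admin1@example.edu", "admin2@example.edu"}
REQUESTS = [
    Request("T-1", "principal@example.edu", "owner@example.edu", "owner@example.edu"),
    Request("T-2", "hr@example.edu", None, None),
]
EXPORTS = [Export("T-1", "admin1@example.edu"), Export("T-2", "admin1@example.edu"),
           Export(None, "owner@example.edu")]
FINDINGS = audit_workflow(ACCESS_GROUP, OWNERS, ADMINS, REQUESTS, EXPORTS)
```

Each entry in `FINDINGS` names an account or ticket and the workflow rule it breaks, which gives Vault Owners a concrete list to review during audits.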
Next Steps
To further secure your domain:
- Demote Super Admins: Consider reducing the number of Super Admin accounts, restricting their Vault access, and avoiding the use of these accounts for day-to-day operations.
- Establish a Digital Data Retention Policy: Work with your school board or administration to create a policy that dictates retention periods for digital data. Align your Vault retention settings, account lifecycle management, and any third-party backup solutions with this policy. Ensure data is expunged according to the retention period outlined.
If you need assistance in aligning your domain settings with educational best practices, contact your Google Customer Service Specialist (GCS) to request an audit overview call. If you don't have your GCS's direct email, complete this form and your GCS will receive your message.
Document Version | Date | Description of Change |
1.0 | 3/18/2024 | Update reference of RAM to GCSS |
1.1 | 5/28/2024 | Removed author block |
1.2 | 8/26/2024 | Rewrote, new images, reverify |